Cryptomining attacks against Apple devices increase sharply

Check Point has published its latest Global Threat Index for September 2018, revealing a near-400% increase in cryptomining malware attacks against Apple iPhones. These attacks are using the Coinhive mining malware, which continues to occupy the top position in the Index that it has held since December 2017.

Coinhive now impacts 19% of organizations worldwide. Check Point’s researchers also observed a significant increase in Coinhive attacks against PCs and devices using the Safari browser, the default browser on Apple devices. The ‘Cryptoloot’ mining malware climbed to third place in the Threat Index, becoming the second most prevalent crypto-miner in the index. Cryptoloot competes with Coinhive by taking a smaller percentage of mining revenue from the websites that embed it.

“Cryptomining continues to be the dominant threat facing organizations globally,” Maya Horowitz, Threat Intelligence Group Manager at Check Point commented. “Attacks such as these serve as a reminder that mobile devices are an often-overlooked element of an organization’s attack surface, so it’s critical that these devices are protected with a comprehensive threat prevention solution, to stop them being the weak point in corporate security defenses.”

In September, Dorkbot, the worm that steals sensitive information and launches denial-of-service attacks, remained in second place with a global impact of 7%.

September 2018’s top 3 most wanted

1. Coinhive – Crypto-miner designed to perform online mining of Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval and without sharing the profits with the user. The implanted JavaScript consumes a large share of the end user’s machine resources to mine coins, and may crash the system.

2. Dorkbot – IRC-based worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.

3. Cryptoloot – Crypto-miner that uses the victim’s CPU or GPU power and existing resources for crypto mining, adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug out from under it by asking a lower percentage of revenue from websites.
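Both miners above work the same way: a page includes a loader script and a short inline snippet that instantiates the miner with the operator’s site key. The following scanner, an added example that is not part of the Check Point report or of either miner’s code, looks for those two artifacts in page HTML. The Coinhive script path and the `CoinHive.Anonymous` / `CoinHive.User` constructors are the ones that service documented; the Cryptoloot host and `CRLT` constructor are assumed indicators that should be validated against current threat intelligence, and the sample pages are constructed.

```python
import re
from typing import List, Tuple

# Indicator set. "assumed" entries are not confirmed by the report above and
# should be checked against current threat intelligence before deployment.
MINER_INDICATORS = {
    "Coinhive script include": re.compile(r"coin-?hive\.com/lib/\S*\.js", re.I),
    "Coinhive miner instantiation": re.compile(
        r"new\s+CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([^'\"]+)['\"]"),
    "Cryptoloot script include (assumed)": re.compile(r"crypto-loot\.com/\S*\.js", re.I),
    "Cryptoloot miner instantiation (assumed)": re.compile(
        r"new\s+CRLT\.Anonymous\s*\(\s*['\"]([^'\"]+)['\"]"),
}
# Coinhive's throttle is the fraction of time the miner idles (0 = full CPU).
THROTTLE = re.compile(r"\.setThrottle\s*\(\s*([0-9.]+)\s*\)")

SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def scan_html(html: str) -> List[Tuple[str, str]]:
    """Return (indicator, evidence) pairs found in a page body.

    External script sources are matched against the include patterns; inline
    script bodies are matched against the constructor patterns, capturing the
    site key so the finding can be tied to a specific mining account.
    """
    findings: List[Tuple[str, str]] = []
    for src in SCRIPT_SRC.findall(html):
        for name, pattern in MINER_INDICATORS.items():
            if "include" in name and pattern.search(src):
                findings.append((name, src))
    for body in SCRIPT_TAG.findall(html):
        for name, pattern in MINER_INDICATORS.items():
            if "instantiation" in name:
                match = pattern.search(body)
                if match:
                    findings.append((name, match.group(1)))
        throttle = THROTTLE.search(body)
        if throttle:
            active = 1.0 - float(throttle.group(1))
            findings.append(("Coinhive throttle", f"miner active ~{active:.0%} of the time"))
    return findings


# Constructed sample pages (not captures from any real site).
MINING_PAGE = (
    "<html><head>"
    "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
    "</head><body><script>"
    "var miner = new CoinHive.Anonymous('SAMPLE_SITE_KEY');"
    "miner.setThrottle(0.3); miner.start();"
    "</script></body></html>"
)
CLEAN_PAGE = (
    "<html><head><script src='/static/app.js'></script></head>"
    "<body><script>console.log('hello');</script></body></html>"
)

if __name__ == "__main__":
    for indicator, evidence in scan_html(MINING_PAGE):
        print(f"{indicator}: {evidence}")
```

Run against a crawl of your own sites or a proxy’s cached responses; a hit on an instantiation pattern with an unfamiliar site key is the strongest signal, since the include alone could be a blocked or dead reference.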

Once again, Lokibot, an Android banking Trojan and info-stealer, was the most popular malware used to attack organizations’ mobile estates, followed by Lotoor and Triada.

September’s top 3 most wanted mobile malware

1. Lokibot – Android banking Trojan and info-stealer, which can also turn into ransomware that locks the phone if its admin privileges are removed.

2. Lotoor – Hack tool that exploits vulnerabilities in the Android operating system to gain root privileges on compromised mobile devices.

3. Triada – Modular backdoor for Android which grants superuser privileges to downloaded malware and helps it embed itself in system processes. Triada has also been seen spoofing URLs loaded in the browser.

Check Point researchers also analyzed the most exploited cyber vulnerabilities. In first place was CVE-2017-7269, with a global impact of 48%. In second place was the OpenSSL use-after-free CVE-2016-6309, with a global impact of 43%, closely followed by Web servers PHPMyAdmin Misconfiguration Code Injection, impacting 42% of organizations.

September’s top 3 most exploited vulnerabilities

1. Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over the network to Microsoft Internet Information Services 6.0 on Microsoft Windows Server 2003 R2, a remote attacker could execute arbitrary code or cause a denial-of-service condition on the target server. The cause is a buffer overflow resulting from improper validation of an overlong header in the HTTP request: the WebDAV component fails to bound-check a long “If:” header in a PROPFIND request.

2. OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) – A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server; a handshake message larger than about 16 KB forces the receive buffer to be reallocated while a pointer into the old buffer is retained. Successful exploitation allows the attacker to execute arbitrary code on the system. The bug was introduced in OpenSSL 1.1.0a and affects only that release, so servers on other versions are not exposed to it.

3. Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to a PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.
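The IIS WebDAV entry above is recognizable on the wire: a PROPFIND request whose “If:” header is far longer than any lock token or ETag a legitimate WebDAV client would send. The following checker, an added example that is not Check Point’s detection logic or code from any exploit, parses a raw HTTP request and flags that shape. The 512-byte limit and the sample requests are constructed assumptions; tune the limit against your own WebDAV traffic before using it as a rule.

```python
from typing import Dict, Tuple

# Assumed threshold: legitimate "If:" headers carry lock tokens or ETags and
# stay short, whereas a request targeting CVE-2017-7269 needs a header well
# over a kilobyte to reach the overflow. Tune against real traffic.
IF_HEADER_LIMIT = 512


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse the request line and headers of a raw HTTP/1.x request.

    Returns (method, target, headers). Header names are lower-cased and
    repeated headers are joined with ", " so a split "If:" header cannot
    slip under the length check. Raises ValueError on a malformed request line.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, target, headers


def is_cve_2017_7269_attempt(raw: bytes, limit: int = IF_HEADER_LIMIT) -> bool:
    """Flag a PROPFIND whose If: header is abnormally long and URL-shaped."""
    try:
        method, _target, headers = parse_request(raw)
    except ValueError:
        return False  # not a parseable request line; leave it to other rules
    if method.upper() != "PROPFIND":
        return False
    if_header = headers.get("if", "")
    return len(if_header) > limit and "<http://" in if_header.lower()


# Constructed sample traffic (not real captures).
BENIGN_PROPFIND = (
    b"PROPFIND /share/docs/ HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"Depth: 1\r\n"
    b"If: (<opaquelocktoken:a515cfa4-5da4-22e1-f5b5-00a0451e6bf7>)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SUSPICIOUS_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"If: <http://files.example.test/" + b"A" * 1500 + b">\r\n"
    b"Content-Length: 0\r\n\r\n"
)
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: files.example.test\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_PROPFIND), ("suspicious", SUSPICIOUS_PROPFIND)):
        print(f"{label}: {is_cve_2017_7269_attempt(req)}")
```

A match is a strong indicator of an exploitation attempt rather than proof of compromise; correlate it with the IIS version on the target and with any subsequent outbound connections from the server.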